When Spring Session combined with Spring Security is used, timeout cannot be detected.

We are using spring-session and spring-security. The problem occurred during a version upgrade.

Timeout cannot be detected in version A. Previously, we have used spring-session and spring-security combination of version B.

version A

  • spring-boot-starter-redis:2.0.4.RELEASE
  • spring-session-data-redis:2.0.5.RELEASE
  • spring-session-core: 2.0.5.RELEASE
  • spring-security-web:5.0.7.RELEASE

version B

  • spring-boot-starter-redis:1.5.7.RELEASE
  • spring-session: 1.3.1.RELEASE
  • spring-security-web: 4.2.4.RELEASE

In version B, SessionManagementFilter.doFilter() of Spring Security was able to detect the timeout, but the timeout cannot be detected in version A.

SessionManagementFilter.doFilter()

                if (request.getRequestedSessionId() != null
                        && !request.isRequestedSessionIdValid()) {
                    if (logger.isDebugEnabled()) {
                        logger.debug("Requested session ID "
                                + request.getRequestedSessionId() + " is invalid.");
                    }

                    if (invalidSessionStrategy != null) {
                        invalidSessionStrategy
                                .onInvalidSessionDetected(request, response);
                        return;
                    }
                }

We think that the return value of request.getRequestedSessionId() is different for each version.

Note: SessionRepositoryFilter$SessionRepositoryRequestWrapper.getRequestedSessionId()

  • version A: null
  • version B: session ID

Does it work as planned? Could you tell me how to detect the timeout?

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Comments: 13 (8 by maintainers)
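
To check the hypothesis in the issue on a running application, a small servlet filter can log the inputs of the SessionManagementFilter condition on every request. This is an added example, not part of the original issue or of Spring's code; the class name SessionIdProbeFilter is hypothetical, and it assumes the javax.servlet API and a cookie-based session ID with the cookie name SESSION.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;

// Hypothetical diagnostic filter (added example, not Spring code).
public class SessionIdProbeFilter implements Filter {
    // Assumption: session cookie is named SESSION; change if customized.
    private static final String COOKIE_NAME = "SESSION";

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest request = (HttpServletRequest) req;
            boolean cookieSent = hasCookie(request, COOKIE_NAME);
            boolean idResolved = request.getRequestedSessionId() != null;
            boolean idValid = request.isRequestedSessionIdValid();
            // Same condition as the SessionManagementFilter excerpt in the issue.
            boolean timeoutBranchWouldRun = idResolved && !idValid;
            // Log flags only; the session ID itself is never written to logs.
            request.getServletContext().log("session-probe uri=" + request.getRequestURI()
                    + " cookieSent=" + cookieSent + " idResolved=" + idResolved
                    + " idValid=" + idValid
                    + " timeoutBranchWouldRun=" + timeoutBranchWouldRun);
        }
        chain.doFilter(req, res);
    }

    private static boolean hasCookie(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies(); // null when no cookies were sent
        if (cookies == null) return false;
        for (Cookie c : cookies) {
            if (name.equals(c.getName())) return true;
        }
        return false;
    }
}
```

Register the filter so that it runs after SessionRepositoryFilter and therefore sees the wrapped request. A request made after the timeout that logs cookieSent=true with idResolved=false matches the version A behaviour reported in the issue.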

Top GitHub Comments

3 reactions
btkukinom commented, Nov 2, 2018

Sorry for being late.

I was able to confirm that it works well. Thank you very much.

0 reactions
vpavic commented, Nov 2, 2018

Thanks for following up @btkukinom!
